Reminded by a power failure on bc01n0{1,2}, we migrate away from at
least one of them into another server.
We also fix up the startup join parameter to not include the node itself
(which is not necessary, but a nice thing to have nonetheless).
Since bc01n01 was the initial node of the cluster, we also disable the
init job for k0 (which we don't care about anyway).
Change-Id: I3406471c0f9542e9d802d39138e400b5a5e74794
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1176
Reviewed-by: q3k <q3k@hackerspace.pl>
This makes our routers less likely to reject connections when they're
being bruteforced: first, by disabling password auth (which we don't
use, anyway), second by making connection limits a bit less draconian.
Change-Id: I4e1e3b0be85dd5ad07a10610ca28a6f094249d8c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1174
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: implr <implr@hackerspace.pl>
The grapevine says that people were being fined for not supporting a
punycode domain. This was broken in rsh-unbound, so I had to fix it. I
then also realized we never were reloading unbound, so some changes
might've been slow to propagate.
Change-Id: Ie461a2ba27b5f447654a70f56bd73d3732b256ee
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1180
Reviewed-by: q3k <q3k@hackerspace.pl>
This removes the need to source env.{sh,fish} when working with hscloud.
This is done by:
1. Implementing a Go library to reliably detect the location of the
active hscloud checkout. That in turn is enabled by
BUILD_WORKSPACE_DIRECTORY being now a thing in Bazel.
2. Creating a tool `hscloud`, with a command `hscloud workspace` that
returns the workspace path.
3. Wrapping this tool to be accessible from Python and Bash.
4. Bumping all users of hscloud_root to use either the Go library or
one of the two implemented wrappers.
We also drive-by replace tools/install.sh to be a proper sh_binary, and
make it yell at people if it isn't being ran as `bazel run
//tools:install`.
Finally, we also drive-by delete cluster/tools/nixops.sh which was never used.
Change-Id: I7873714319bfc38bbb930b05baa605c5aa36470a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1169
Reviewed-by: informatic <informatic@hackerspace.pl>
This release removes Let's Encrypt DST Root CA X3 pinning and adds
dynamic secret key generation.
Deployed to production on 2021/10/09
Change-Id: I2b88dc9ab6b67d1c3af277d673702c6a1b3188db
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1161
Reviewed-by: q3k <q3k@hackerspace.pl>
Let's make things simpler and just build/run stuff that we deem
critical.
Change-Id: I356efaac4c8af276aaaa0a141a70f35da19c6957
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1166
Reviewed-by: q3k <q3k@hackerspace.pl>
This makes the hscloud readTree object available as following in NixOS
modules:
{ config, pkgs, workspace, ... }: {
environment.systemPackages = [
workspace.hswaw.laserproxy
];
}
Change-Id: I9c8146f5156ffe5d06cb8408a2ce632657990d59
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1164
Reviewed-by: q3k <q3k@hackerspace.pl>
This bitrot at some point. Now it's all freshened up.
Change-Id: Ia7df1ccd9b39d9180131452e9bf18d0fb8fa50d5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1163
Reviewed-by: informatic <informatic@hackerspace.pl>
You can test this using:
bazel run '@io_filippo_age//cmd/age'
The same target can now be used in data dependencies for secretstore
(you'll need to hardcode the runfile path, or use some
Bazel-runfile-resolving library for Python).
This required adding a few dependencies to
third_party/go/repositories.bzl, but also moving golang.org/x/crypto
from that file into WORKSPACE, before gazelle_deps gets loaded (as the
version requested by gazelle_deps is too old). We also moved shlex that
shouldn't have been in WORKSPACE into third_party/go/repositories.bzl.
Otherwise, this was just a few small deps - bumped golang.org/x/crypto,
new golang.org/x/term, new filippo.io/edwards25519. Hooray low
dependency code.
Change-Id: I0e684d88efffde13a3b4e253860aabcb35a3c94d
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1158
Reviewed-by: patryk <patryk@hackerspace.pl>
riot-web containers are no longer published.
We shall also readjust our internal naming for matrix web client from
riot to something more generic at some point.
Change-Id: Ice85af3ae29b587c13a3ba27d13c9bd655d7fcfd
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1145
Reviewed-by: informatic <informatic@hackerspace.pl>
This implements media-repo-proxy, a lil' bit of Go to make our
infrastructure work with matrix-media-repo's concept of Host headers.
For some reason, MMR really wants Host: hackerspace.pl instead of Host:
matrix.hackerspace.pl. We'd fix that in their code, but with no tests
and with complex config reload logic it looks very daunting. We'd just
fix that in our Ingress, but that's not easy (no per-rule host
overrides).
So, we commit a tiny little itty bitty war crime and implement a piece
of Go code that serves as a rewriter for this.
This works, tested on boston:
$ curl -H "Host: matrix.hackerspace.pl" 10.10.12.46:8080/_matrix/media/r0/download/hackerspace.pl/EwVBulPgCWDWNGMKjcOKGGbk | file -
/dev/stdin: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 650x300, components 3
(this address is media-repo.matrix.svc.k0.hswaw.net)
But hey, at least it has tests.
Change-Id: Ib6af1988fe8e112c9f3a5577506b18b48d80af62
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1143
Reviewed-by: q3k <q3k@hackerspace.pl>